Java has been in the news a lot recently thanks to a rather messy response to a high profile Java security issue, CVE-2012-4681. This, and a related set of vulnerabilities which target the Java browser plug-in (CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547), have been generating headlines, particularly since attack code has been added to Blackhole, a widely used exploit kit that bundles a large number of exploits and tries each in turn until it finds one that works against a given machine. All four vulnerabilities affect Oracle Java SE 7 update 6 and earlier. CVE-2012-0547 also affects Java 6 update 34 and earlier.

Polish security start-up Security Explorations privately disclosed the flaw to both Oracle and Apple back in April. Oracle issued a patch on August 30 (Java 7 update 7), shortly after news of the exploit first garnered significant media attention, but it now appears that the patched release is itself vulnerable. "I can confirm that a patched version of Java 7 update 7, released by Oracle on Aug 30, contains security vulnerabilities that can be used by attackers for a complete compromise of a Java security sandbox," Adam Gowdiak, founder and CEO of Security Explorations, told InfoQ via email. "This includes the flaw discovered after the patch release and that was reported to Oracle on Aug 31."

Unlike the earlier vulnerabilities, no active attacks exploiting the new flaw have yet been found in the wild, but Security Explorations' status page says that the firm included proof-of-concept code with the report to demonstrate that an exploit is possible.

Whilst Oracle now provides Java SE 7 for OS X along with its other platforms, Apple still maintains Java 6 for its OS, and released a Java update on Wednesday 5th September which closes CVE-2012-0547. Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 also configure web browsers not to run Java applets automatically, and in addition de-activate the Java web plug-in if no applets have been run for an extended period of time.

Apple has faced criticism for releasing Java updates months after they were already available on platforms supported by Oracle. Flashback, the infamous Trojan, demonstrates how real the risk is. It used a Java hole fixed by Oracle in February, but left unpatched on OS X until April, to build a botnet of roughly 670,000 OS X machines. Since then, however, Apple has been faster to respond, and in June it issued an update in sync with Oracle for the first time.

The CVE-2012-4681 vulnerability also exists in IBM's Java runtime. A vulnerability notice and proof-of-concept code were sent to the vendor on 11th September.

Since the issue does not impact standalone Java desktop applications or Java running on servers, Java 7 users are advised, at a minimum, to disable the Java browser plug-in, re-enabling it (or using a separate browser that has it enabled) only when Java is actually required. The United States Computer Emergency Readiness Team (US-CERT) provides further advice and instructions, and also recommends the more drastic measure of uninstalling Java entirely where possible.
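As an added triage check (not code from Oracle, Apple or Security Explorations), the script below classifies a `java -version` banner against the version ranges stated above: Java 7 update 6 and earlier for all four CVEs, and Java 6 update 34 and earlier for CVE-2012-0547 only. It assumes the Oracle/Apple banner format `java version "1.7.0_06"`; IBM's runtime is not handled because no affected version range for it is given. The sample banners are constructed for illustration. Note the caveat from the article: a 7u7 result clears a machine of these four CVEs but not of the further sandbox escape reported to Oracle on Aug 31, so the plug-in should be disabled regardless of what this check returns.

```python
"""Classify a `java -version` banner against the CVE ranges named in the article.

Added example, not vendor code. Assumes the Oracle/Apple banner format
    java version "1.7.0_06"
Banners from other vendors (e.g. IBM) raise ValueError rather than being guessed at.
"""
import re
import subprocess

# Affected ranges as stated in the article: (major version, last affected update).
# Java 7 up to update 6 is hit by all four; only CVE-2012-0547 also reaches Java 6 up to update 34.
AFFECTED = {
    "CVE-2012-4681": [(7, 6)],
    "CVE-2012-1682": [(7, 6)],
    "CVE-2012-3136": [(7, 6)],
    "CVE-2012-0547": [(7, 6), (6, 34)],
}

# Matches the legacy 1.<major>.<minor>[_<update>] scheme used by Java 6 and 7.
_BANNER = re.compile(r'version\s+"1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from the first line of `java -version` output.

    A GA release with no "_NN" suffix (e.g. "1.7.0") is treated as update 0.
    Raises ValueError if the banner is not in the expected 1.x.y_NN form.
    """
    m = _BANNER.search(banner)
    if not m:
        raise ValueError("unrecognised java -version banner: %r" % banner)
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def affected_cves(banner):
    """List the CVEs from the article that the runtime described by `banner` is exposed to.

    An empty list means none of the four listed CVEs apply; it does NOT mean the
    runtime is safe, since the article reports a further sandbox escape in 7u7.
    """
    major, update = parse_java_version(banner)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(major == m and update <= last for m, last in ranges):
            hits.append(cve)
    return hits


def local_java_banner():
    """Run `java -version` on this machine; the banner is written to stderr."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample banners, not captured from real machines.
    samples = [
        'java version "1.7.0_06"',
        'java version "1.7.0_07"',
        'java version "1.6.0_34"',
        'java version "1.6.0_35"',
    ]
    for s in samples:
        print(s, "->", affected_cves(s) or "none of the four listed CVEs")
```

To check the machine you are sitting at, feed `local_java_banner()` into `affected_cves()`; on a host with several JREs installed, run the check against each `java` binary the browser plug-in could be using, not just the first one on `PATH`.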
